Application of VPN in network security

A Virtual Private Network (VPN) is a network technology for secure transmission: it uses an untrusted public network such as the Internet as its transmission medium and, through a series of security processes, achieves security comparable to that of a private network, protecting important information in transit.
1. Advantages of VPN technology
VPN technology has very outstanding advantages, including:
(1) Network communication security. VPN uses technologies such as secure tunnels to provide secure end-to-end connection services. When users at both ends of the VPN communicate over the Internet, the information transmitted is encrypted by the RSA asymmetric encryption algorithm, with the key computed by the Diffie-Hellman algorithm, which can fully ensure the security of data communication.
(2) Convenient scalability. VPN technology is used to build internal private networks within the enterprise and to give remote business personnel access to them, and it scales conveniently and flexibly. First, restructuring the network is easy: only the configuration needs to be adjusted. Second, expanding the network is easy: only a few new nodes need to be configured, and no engineering changes are required to the network already built.
(3) Convenient management. With VPN networking, a large part of the network management work can be consolidated at the Internet service provider, reducing the burden of internal network management on the enterprise. At the same time, VPN provides intelligent features for information transmission and routing, operates independently of other network devices, and gives users flexible means of network management.
(4) Significant cost savings. Using the existing ubiquitous Internet to build an internal private network can save a lot of investment costs and subsequent operation and maintenance costs. In the past, to realize the interconnection between two remote networks, dedicated line connection was mainly used. The cost of this approach is too high. VPN is a highly secure virtual private network built on the Internet, so the cost is relatively low, and part of the operation and maintenance work can be placed on the service provider side, which can also save part of the maintenance costs.
2. Principles of VPN
Implementing VPN requires the use of a series of key security technologies, including:
(1) Secure tunnel technology. That is, the transmitted information is encrypted and protocol encapsulated, and then embedded into a data packet of another protocol and sent to the network, where it is transmitted like an ordinary data packet. After such processing, only the source and target users can extract and process the encrypted and encapsulated information, while for other users, this information is just meaningless garbage.
(2) User authentication technology. The user's identity is confirmed before the connection is started, and then the system performs corresponding authorization and resource access control based on the user's identity.
(3) Access control technology. The provider of the VPN service and the provider of the final network information resource jointly negotiate to determine the user's access rights to the resource, thereby implementing user-based access control and protecting information resources.
The structure of the VPN system is shown in Figure 16-12.
In Figure 16-12, the secure tunnel agent and the management center form the Secure Transmission Plane (STP), which realizes secure transmission over the Internet and the corresponding system management functions. The user authentication management center and the key distribution center form the Common Function Plane (CFP), an auxiliary plane of the secure transmission plane. It mainly provides the user agent with relatively independent user identity authentication and management, and key distribution and management, functions.
When establishing VPN communication, the VPN user agent requests the secure tunnel agent to establish a secure tunnel. After the secure tunnel agent accepts the request, it establishes a secure tunnel over the Internet under the control and management of the management center, and then provides transparent network transmission to the user. The VPN user agent consists of three parts: the secure tunnel terminal function, the user authentication function and the access control function, which together provide complete VPN services to upper-layer applications.
(1) Secure transmission plane. The secure transmission plane implements secure transmission on the Internet and corresponding system management functions, which is jointly completed by the secure tunnel agent and the management center.
① Secure tunnel agent. The secure tunnel agent can connect multiple point-to-point secure channels into an end-to-end secure tunnel under the control of the management center. It is the main body of the VPN, and its main functions are:
Establishing and releasing secure tunnels. At the user agent's request, a point-to-point secure channel is established between the user agent and the secure tunnel agent, and interactions such as user identity authentication and service level negotiation are performed inside this secure channel. Performing the initialization process inside a secure channel fully protects sensitive information such as user authentication data. Then, under the control of the management center, an end-to-end secure tunnel is established between the sending end and the receiving end, composed of several point-to-point secure channels connected in sequence. After the information transmission is completed, either communicating party's agent can request that the tunnel connection be released, which tears down the secure tunnel.
Verification of user identity. During the initialization process of establishing a secure tunnel, the secure tunnel agent requires the user agent to submit a certificate provided by the user authentication management center, and the identity of the user agent can be confirmed by verifying the certificate. If necessary, the user agent can also perform reverse authentication on the secure tunnel agent to further improve system security.
Negotiation of service levels. After the user identity is authenticated, the secure tunnel agent negotiates the service level with the user agent, determines the service level provided based on its requirements and the actual situation of the VPN system at that time, and reports it to the management center.
Transparent transmission of information. After the secure tunnel is established, the secure tunnel agent is responsible for the transmission of information between the communicating parties, and performs corresponding control based on the agreed service parameters to provide transparent VPN transmission services for applications on it.
Control and manage secure tunnels. During the period of maintaining the secure tunnel connection, the secure tunnel agent also manages and adjusts the network performance and service level of the established secure tunnel according to the management commands of the management center.
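The following toy model, added here and not part of the original post, shows in working code what the secure tunnel technology of section 2 (1) and the tunnel establishment and transparent transmission steps above amount to: the user agent and the secure tunnel agent each generate a Diffie-Hellman value, derive the same tunnel key, and the sender encrypts and authenticates the inner packet before encapsulating it in an outer packet carrying a tunnel id, length and nonce; the receiver verifies the tag before decrypting, and any third party sees only the outer header and ciphertext. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream standing in for a real tunnel cipher, the key derivation is a plain SHA-256 hash standing in for a real KDF, and the 1024-bit MODP group from RFC 2409 (group 2) is used only because it fits on the page; the tunnel id `T001` and the packet contents are constructed sample values.

```python
import hashlib, hmac, os, secrets, struct
# 1024-bit MODP prime (RFC 2409 group 2): illustration only, too small for modern use.
P = int("""FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF""".replace(" ", "").replace("\n", ""), 16)
G, TAG = 2, 16                   # generator; truncated HMAC-SHA256 tag length in bytes
HDR = struct.Struct("!4sH12s")   # outer header: tunnel id, inner length, nonce

def dh_keypair():
    """One side's private exponent and the public value it sends to its peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def tunnel_key(priv, peer_pub, tunnel_id):
    """Diffie-Hellman shared secret hashed with the tunnel id into a 32-byte key (toy KDF)."""
    shared = pow(peer_pub, priv, P).to_bytes(128, "big")
    return hashlib.sha256(shared + tunnel_id).digest()

def _xor_stream(key, nonce, data):
    """HMAC-SHA256 counter-mode keystream, standing in for the tunnel cipher."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(key, tunnel_id, inner):
    """Encrypt the inner packet, prepend the outer header, append the auth tag."""
    nonce = os.urandom(12)
    hdr = HDR.pack(tunnel_id, len(inner), nonce)
    body = _xor_stream(key, nonce, inner)
    return hdr + body + hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG]

def decapsulate(key, tunnel_id, outer):
    """Verify the tag before touching the payload; return the inner packet or None."""
    hdr, body, tag = outer[:HDR.size], outer[HDR.size:-TAG], outer[-TAG:]
    want = hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG]
    if len(outer) < HDR.size + TAG or not hmac.compare_digest(tag, want):
        return None                      # truncated, tampered, or wrong key
    tid, length, nonce = HDR.unpack(hdr)
    return _xor_stream(key, nonce, body) if (tid, length) == (tunnel_id, len(body)) else None

def run_tunnel(inner, tunnel_id=b"T001"):
    """User agent A and secure tunnel agent B agree a key, then A sends one packet to B."""
    (a_priv, a_pub), (b_priv, b_pub) = dh_keypair(), dh_keypair()
    key_a, key_b = tunnel_key(a_priv, b_pub, tunnel_id), tunnel_key(b_priv, a_pub, tunnel_id)
    outer = encapsulate(key_a, tunnel_id, inner)
    return key_a == key_b, outer, decapsulate(key_b, tunnel_id, outer)
```

Note that the receiver rejects a packet whose tag, tunnel id or length does not check out before decrypting anything, which is the property that makes the tunnel "meaningless garbage" to everyone but its two endpoints.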
② VPN management center. The VPN management center is the core of the entire VPN. It is directly connected to the secure tunnel agents and is responsible for coordinating the work among the secure tunnel agents on the secure transmission plane. Its specific functions include:
Management and control of secure tunnels. The management center determines the best route and issues commands to all secure tunnel agents on that route to establish the secure tunnel connections. After the tunnel is established, it continues to monitor the working status of each tunnel connection. For secure tunnels that fail, it reselects the route and replaces the connection with one along the new route. During communication, it can also send management commands to the agents on the corresponding secure tunnel as needed to optimize network performance, adjust service levels, and so on.
Monitoring and management of network performance. The management center continuously monitors the working status of each secure tunnel agent, collects various VPN performance parameters, and uses the collected data for VPN performance optimization and troubleshooting. It is also responsible for common network management functions such as logging of VPN events, user accounting, tracking and auditing, and fault reporting.
(2) Common function plane. The common function plane is the auxiliary plane of the secure transmission plane. It provides the VPN user agent with relatively independent user identity authentication and management, and key distribution and management, functions, which are completed by the user authentication management center and the VPN key distribution center respectively.
① Authentication management center. The authentication management center provides user identity authentication and user management. For user authentication, the center acts as an independent third party that authenticates the identity of the VPN user agent, the secure tunnel agent, or both, so that the two can confirm each other's identity.
User management refers to the part of user management directly related to the identity authentication function, that is, recording the credit level and authentication status of each user (including user agents, secure tunnel agents, authentication management centers, and so on), which can then be consulted when the VPN negotiates service levels with the two parties establishing a secure tunnel. Management here is service-oriented; user management functions related to user permissions, access control and the like are not included.
② Key distribution center. The key distribution center provides key distribution, recovery and management functions to both parties who need to authenticate and encrypt information. In a VPN system, user agents, secure tunnel agents, authentication management centers, etc. are all users of the key distribution center.
The use of VPN technology not only ensures the connectivity and data sharing of the entire enterprise network, but also protects important data such as financial information. It is a good solution for interconnecting local networks within an enterprise.

Origin blog.csdn.net/miachen520/article/details/134981468